@omnituum/pqc-shared 0.3.1 → 0.4.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/crypto/index.cjs +39 -71
- package/dist/crypto/index.d.cts +48 -45
- package/dist/crypto/index.d.ts +48 -45
- package/dist/crypto/index.js +33 -72
- package/dist/crypto/safe/index.cjs +556 -0
- package/dist/crypto/safe/index.d.cts +341 -0
- package/dist/crypto/safe/index.d.ts +341 -0
- package/dist/crypto/safe/index.js +524 -0
- package/dist/fs/index.cjs +6 -34
- package/dist/fs/index.js +6 -34
- package/dist/index.cjs +39 -71
- package/dist/index.d.cts +4 -4
- package/dist/index.d.ts +4 -4
- package/dist/index.js +33 -72
- package/dist/{integrity-Dx9jukMH.d.cts → integrity-BenoFsmP.d.cts} +1 -1
- package/dist/{integrity-CCYjrap3.d.ts → integrity-D9J98Bty.d.ts} +1 -1
- package/dist/{types-61c7Q9ri.d.ts → types-CRka8PC7.d.cts} +54 -2
- package/dist/{types-Ch0y-n7K.d.cts → types-CRka8PC7.d.ts} +54 -2
- package/dist/utils/index.d.cts +2 -3
- package/dist/utils/index.d.ts +2 -3
- package/dist/vault/index.cjs +13 -41
- package/dist/vault/index.d.cts +2 -3
- package/dist/vault/index.d.ts +2 -3
- package/dist/vault/index.js +13 -41
- package/package.json +13 -5
- package/src/crypto/dilithium.ts +8 -4
- package/src/crypto/hybrid.ts +13 -29
- package/src/crypto/index.ts +9 -1
- package/src/crypto/kyber.ts +80 -118
- package/src/crypto/safe/adapters.ts +306 -0
- package/src/crypto/safe/dilithium.ts +74 -0
- package/src/crypto/safe/index.ts +97 -0
- package/src/crypto/safe/kyber.ts +47 -0
- package/src/crypto/safe/manifests.ts +192 -0
- package/src/crypto/safe/secretbox.ts +24 -0
- package/src/crypto/safe/types.ts +88 -0
- package/src/crypto/safe/x25519.ts +31 -0
- package/src/index.ts +12 -4
- package/src/version.ts +9 -4
- package/dist/version-BygzPVGs.d.cts +0 -55
- package/dist/version-BygzPVGs.d.ts +0 -55
|
@@ -0,0 +1,192 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Primitive identity manifests.
|
|
3
|
+
*
|
|
4
|
+
* Each manifest declares the expected algorithm name and byte sizes.
|
|
5
|
+
* Used by assertPrimitiveIdentity() to verify that the underlying library
|
|
6
|
+
* is the exact primitive we intended to wrap — not a swapped, compromised,
|
|
7
|
+
* or silently upgraded implementation.
|
|
8
|
+
*
|
|
9
|
+
* This catches:
|
|
10
|
+
* - wrong algorithm resolved behind the same import
|
|
11
|
+
* - changed encoding or key format after a dependency update
|
|
12
|
+
* - supply-chain substitution of a different primitive
|
|
13
|
+
* - silent API drift in key/signature sizes
|
|
14
|
+
*/
|
|
15
|
+
|
|
16
|
+
export interface SignatureManifest {
|
|
17
|
+
readonly algorithm: string
|
|
18
|
+
readonly publicKeyBytes: number
|
|
19
|
+
readonly secretKeyBytes: number
|
|
20
|
+
readonly signatureBytes: number
|
|
21
|
+
}
|
|
22
|
+
|
|
23
|
+
export interface KemManifest {
|
|
24
|
+
readonly algorithm: string
|
|
25
|
+
readonly encapsulationKeyBytes: number
|
|
26
|
+
readonly decapsulationKeyBytes: number
|
|
27
|
+
readonly ciphertextBytes: number
|
|
28
|
+
readonly sharedSecretBytes: number
|
|
29
|
+
}
|
|
30
|
+
|
|
31
|
+
export interface DhManifest {
|
|
32
|
+
readonly algorithm: string
|
|
33
|
+
readonly publicKeyBytes: number
|
|
34
|
+
readonly secretKeyBytes: number
|
|
35
|
+
readonly sharedSecretBytes: number
|
|
36
|
+
}
|
|
37
|
+
|
|
38
|
+
export interface SecretboxManifest {
|
|
39
|
+
readonly algorithm: string
|
|
40
|
+
readonly keyBytes: number
|
|
41
|
+
readonly nonceBytes: number
|
|
42
|
+
readonly tagBytes: number
|
|
43
|
+
}
|
|
44
|
+
|
|
45
|
+
// ---- Concrete manifests for Omnituum's primitives ----
|
|
46
|
+
|
|
47
|
+
export const ML_DSA_65: SignatureManifest = {
|
|
48
|
+
algorithm: 'ML-DSA-65',
|
|
49
|
+
publicKeyBytes: 1952,
|
|
50
|
+
secretKeyBytes: 4032,
|
|
51
|
+
signatureBytes: 3309,
|
|
52
|
+
} as const
|
|
53
|
+
|
|
54
|
+
export const ML_KEM_768: KemManifest = {
|
|
55
|
+
algorithm: 'ML-KEM-768',
|
|
56
|
+
encapsulationKeyBytes: 1184,
|
|
57
|
+
decapsulationKeyBytes: 2400,
|
|
58
|
+
ciphertextBytes: 1088,
|
|
59
|
+
sharedSecretBytes: 32,
|
|
60
|
+
} as const
|
|
61
|
+
|
|
62
|
+
export const X25519: DhManifest = {
|
|
63
|
+
algorithm: 'X25519',
|
|
64
|
+
publicKeyBytes: 32,
|
|
65
|
+
secretKeyBytes: 32,
|
|
66
|
+
sharedSecretBytes: 32,
|
|
67
|
+
} as const
|
|
68
|
+
|
|
69
|
+
export const XSALSA20_POLY1305: SecretboxManifest = {
|
|
70
|
+
algorithm: 'XSalsa20-Poly1305',
|
|
71
|
+
keyBytes: 32,
|
|
72
|
+
nonceBytes: 24,
|
|
73
|
+
tagBytes: 16,
|
|
74
|
+
} as const
|
|
75
|
+
|
|
76
|
+
// ---- Assertion helpers ----
|
|
77
|
+
|
|
78
|
+
export function assertSignaturePrimitive(
|
|
79
|
+
noble: {
|
|
80
|
+
keygen(seed?: Uint8Array): { publicKey: Uint8Array; secretKey: Uint8Array }
|
|
81
|
+
sign(message: Uint8Array, secretKey: Uint8Array): Uint8Array
|
|
82
|
+
verify(signature: Uint8Array, message: Uint8Array, publicKey: Uint8Array): boolean
|
|
83
|
+
},
|
|
84
|
+
manifest: SignatureManifest,
|
|
85
|
+
): void {
|
|
86
|
+
const msg = new Uint8Array([0xde, 0xad, 0xbe, 0xef])
|
|
87
|
+
const { publicKey, secretKey } = noble.keygen()
|
|
88
|
+
const sig = noble.sign(msg, secretKey)
|
|
89
|
+
|
|
90
|
+
if (publicKey.length !== manifest.publicKeyBytes) {
|
|
91
|
+
throw new Error(
|
|
92
|
+
`${manifest.algorithm}: publicKey ${publicKey.length} bytes, expected ${manifest.publicKeyBytes}`,
|
|
93
|
+
)
|
|
94
|
+
}
|
|
95
|
+
if (secretKey.length !== manifest.secretKeyBytes) {
|
|
96
|
+
throw new Error(
|
|
97
|
+
`${manifest.algorithm}: secretKey ${secretKey.length} bytes, expected ${manifest.secretKeyBytes}`,
|
|
98
|
+
)
|
|
99
|
+
}
|
|
100
|
+
if (sig.length !== manifest.signatureBytes) {
|
|
101
|
+
throw new Error(
|
|
102
|
+
`${manifest.algorithm}: signature ${sig.length} bytes, expected ${manifest.signatureBytes}`,
|
|
103
|
+
)
|
|
104
|
+
}
|
|
105
|
+
if (!noble.verify(sig, msg, publicKey)) {
|
|
106
|
+
throw new Error(`${manifest.algorithm}: sign/verify roundtrip failed`)
|
|
107
|
+
}
|
|
108
|
+
}
|
|
109
|
+
|
|
110
|
+
export function assertKemPrimitive(
|
|
111
|
+
noble: {
|
|
112
|
+
keygen(): { publicKey: Uint8Array; secretKey: Uint8Array }
|
|
113
|
+
encapsulate(publicKey: Uint8Array): { ciphertext: Uint8Array; sharedSecret: Uint8Array }
|
|
114
|
+
decapsulate(ciphertext: Uint8Array, secretKey: Uint8Array): Uint8Array
|
|
115
|
+
},
|
|
116
|
+
manifest: KemManifest,
|
|
117
|
+
): void {
|
|
118
|
+
const { publicKey, secretKey } = noble.keygen()
|
|
119
|
+
const { ciphertext, sharedSecret: ss1 } = noble.encapsulate(publicKey)
|
|
120
|
+
const ss2 = noble.decapsulate(ciphertext, secretKey)
|
|
121
|
+
|
|
122
|
+
if (publicKey.length !== manifest.encapsulationKeyBytes) {
|
|
123
|
+
throw new Error(
|
|
124
|
+
`${manifest.algorithm}: encapsulationKey ${publicKey.length} bytes, expected ${manifest.encapsulationKeyBytes}`,
|
|
125
|
+
)
|
|
126
|
+
}
|
|
127
|
+
if (secretKey.length !== manifest.decapsulationKeyBytes) {
|
|
128
|
+
throw new Error(
|
|
129
|
+
`${manifest.algorithm}: decapsulationKey ${secretKey.length} bytes, expected ${manifest.decapsulationKeyBytes}`,
|
|
130
|
+
)
|
|
131
|
+
}
|
|
132
|
+
if (ciphertext.length !== manifest.ciphertextBytes) {
|
|
133
|
+
throw new Error(
|
|
134
|
+
`${manifest.algorithm}: ciphertext ${ciphertext.length} bytes, expected ${manifest.ciphertextBytes}`,
|
|
135
|
+
)
|
|
136
|
+
}
|
|
137
|
+
if (ss1.length !== manifest.sharedSecretBytes) {
|
|
138
|
+
throw new Error(
|
|
139
|
+
`${manifest.algorithm}: sharedSecret ${ss1.length} bytes, expected ${manifest.sharedSecretBytes}`,
|
|
140
|
+
)
|
|
141
|
+
}
|
|
142
|
+
if (ss2.length !== manifest.sharedSecretBytes) {
|
|
143
|
+
throw new Error(
|
|
144
|
+
`${manifest.algorithm}: decapsulated sharedSecret ${ss2.length} bytes, expected ${manifest.sharedSecretBytes}`,
|
|
145
|
+
)
|
|
146
|
+
}
|
|
147
|
+
for (let i = 0; i < ss1.length; i++) {
|
|
148
|
+
if (ss1[i] !== ss2[i]) {
|
|
149
|
+
throw new Error(`${manifest.algorithm}: encap/decap shared secrets differ at byte ${i}`)
|
|
150
|
+
}
|
|
151
|
+
}
|
|
152
|
+
}
|
|
153
|
+
|
|
154
|
+
export function assertDhPrimitive(
|
|
155
|
+
noble: {
|
|
156
|
+
getPublicKey(secretKey: Uint8Array): Uint8Array
|
|
157
|
+
getSharedSecret(secretKey: Uint8Array, publicKey: Uint8Array): Uint8Array
|
|
158
|
+
utils: { randomPrivateKey(): Uint8Array }
|
|
159
|
+
},
|
|
160
|
+
manifest: DhManifest,
|
|
161
|
+
): void {
|
|
162
|
+
const sk = noble.utils.randomPrivateKey()
|
|
163
|
+
const pk = noble.getPublicKey(sk)
|
|
164
|
+
|
|
165
|
+
if (pk.length !== manifest.publicKeyBytes) {
|
|
166
|
+
throw new Error(
|
|
167
|
+
`${manifest.algorithm}: publicKey ${pk.length} bytes, expected ${manifest.publicKeyBytes}`,
|
|
168
|
+
)
|
|
169
|
+
}
|
|
170
|
+
if (sk.length !== manifest.secretKeyBytes) {
|
|
171
|
+
throw new Error(
|
|
172
|
+
`${manifest.algorithm}: secretKey ${sk.length} bytes, expected ${manifest.secretKeyBytes}`,
|
|
173
|
+
)
|
|
174
|
+
}
|
|
175
|
+
|
|
176
|
+
// Generate second keypair, compute shared secret both ways
|
|
177
|
+
const sk2 = noble.utils.randomPrivateKey()
|
|
178
|
+
const pk2 = noble.getPublicKey(sk2)
|
|
179
|
+
const ss1 = noble.getSharedSecret(sk, pk2)
|
|
180
|
+
const ss2 = noble.getSharedSecret(sk2, pk)
|
|
181
|
+
|
|
182
|
+
if (ss1.length !== manifest.sharedSecretBytes) {
|
|
183
|
+
throw new Error(
|
|
184
|
+
`${manifest.algorithm}: sharedSecret ${ss1.length} bytes, expected ${manifest.sharedSecretBytes}`,
|
|
185
|
+
)
|
|
186
|
+
}
|
|
187
|
+
for (let i = 0; i < ss1.length; i++) {
|
|
188
|
+
if (ss1[i] !== ss2[i]) {
|
|
189
|
+
throw new Error(`${manifest.algorithm}: DH commutativity check failed at byte ${i}`)
|
|
190
|
+
}
|
|
191
|
+
}
|
|
192
|
+
}
|
|
@@ -0,0 +1,24 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Safe secretbox (xsalsa20-poly1305) adapter.
|
|
3
|
+
*
|
|
4
|
+
* Object parameters + branded types.
|
|
5
|
+
*/
|
|
6
|
+
|
|
7
|
+
import { secretboxRaw, secretboxOpenRaw } from '../nacl'
|
|
8
|
+
import type { SymmetricKey, Nonce } from './types'
|
|
9
|
+
|
|
10
|
+
export function seal(params: {
|
|
11
|
+
key: SymmetricKey
|
|
12
|
+
plaintext: Uint8Array
|
|
13
|
+
nonce: Nonce
|
|
14
|
+
}): Uint8Array {
|
|
15
|
+
return secretboxRaw(params.key, params.plaintext, params.nonce)
|
|
16
|
+
}
|
|
17
|
+
|
|
18
|
+
export function open(params: {
|
|
19
|
+
key: SymmetricKey
|
|
20
|
+
ciphertext: Uint8Array
|
|
21
|
+
nonce: Nonce
|
|
22
|
+
}): Uint8Array | null {
|
|
23
|
+
return secretboxOpenRaw(params.key, params.ciphertext, params.nonce)
|
|
24
|
+
}
|
|
@@ -0,0 +1,88 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Branded cryptographic types.
|
|
3
|
+
*
|
|
4
|
+
* Raw Uint8Array must never cross module boundaries without type branding.
|
|
5
|
+
* These types make argument inversion a compile-time error.
|
|
6
|
+
*/
|
|
7
|
+
|
|
8
|
+
// ---- Dilithium ML-DSA-65 ----
|
|
9
|
+
|
|
10
|
+
export type DilithiumSecretKey = Uint8Array & { readonly __brand: 'DilithiumSecretKey' }
|
|
11
|
+
export type DilithiumPublicKey = Uint8Array & { readonly __brand: 'DilithiumPublicKey' }
|
|
12
|
+
export type DilithiumSignature = Uint8Array & { readonly __brand: 'DilithiumSignature' }
|
|
13
|
+
|
|
14
|
+
export interface DilithiumKeyPair {
|
|
15
|
+
publicKey: DilithiumPublicKey
|
|
16
|
+
secretKey: DilithiumSecretKey
|
|
17
|
+
}
|
|
18
|
+
|
|
19
|
+
// ---- Kyber ML-KEM-768 ----
|
|
20
|
+
|
|
21
|
+
export type KyberEncapsulationKey = Uint8Array & { readonly __brand: 'KyberEncapsulationKey' }
|
|
22
|
+
export type KyberDecapsulationKey = Uint8Array & { readonly __brand: 'KyberDecapsulationKey' }
|
|
23
|
+
export type KyberCiphertext = Uint8Array & { readonly __brand: 'KyberCiphertext' }
|
|
24
|
+
export type SharedSecret = Uint8Array & { readonly __brand: 'SharedSecret' }
|
|
25
|
+
|
|
26
|
+
export interface KyberKeyPair {
|
|
27
|
+
encapsulationKey: KyberEncapsulationKey
|
|
28
|
+
decapsulationKey: KyberDecapsulationKey
|
|
29
|
+
}
|
|
30
|
+
|
|
31
|
+
export interface KyberEncapsulation {
|
|
32
|
+
ciphertext: KyberCiphertext
|
|
33
|
+
sharedSecret: SharedSecret
|
|
34
|
+
}
|
|
35
|
+
|
|
36
|
+
// ---- X25519 ----
|
|
37
|
+
|
|
38
|
+
export type X25519PublicKey = Uint8Array & { readonly __brand: 'X25519PublicKey' }
|
|
39
|
+
export type X25519SecretKey = Uint8Array & { readonly __brand: 'X25519SecretKey' }
|
|
40
|
+
|
|
41
|
+
export interface X25519KeyPair {
|
|
42
|
+
publicKey: X25519PublicKey
|
|
43
|
+
secretKey: X25519SecretKey
|
|
44
|
+
}
|
|
45
|
+
|
|
46
|
+
// ---- Symmetric ----
|
|
47
|
+
|
|
48
|
+
export type SymmetricKey = Uint8Array & { readonly __brand: 'SymmetricKey' }
|
|
49
|
+
export type Nonce = Uint8Array & { readonly __brand: 'Nonce' }
|
|
50
|
+
export type Message = Uint8Array & { readonly __brand: 'Message' }
|
|
51
|
+
|
|
52
|
+
// ---- Branding helpers ----
|
|
53
|
+
|
|
54
|
+
export function asMessage(data: Uint8Array): Message {
|
|
55
|
+
return data as Message
|
|
56
|
+
}
|
|
57
|
+
|
|
58
|
+
export function asDilithiumSecretKey(data: Uint8Array): DilithiumSecretKey {
|
|
59
|
+
return data as DilithiumSecretKey
|
|
60
|
+
}
|
|
61
|
+
|
|
62
|
+
export function asDilithiumPublicKey(data: Uint8Array): DilithiumPublicKey {
|
|
63
|
+
return data as DilithiumPublicKey
|
|
64
|
+
}
|
|
65
|
+
|
|
66
|
+
export function asKyberEncapsulationKey(data: Uint8Array): KyberEncapsulationKey {
|
|
67
|
+
return data as KyberEncapsulationKey
|
|
68
|
+
}
|
|
69
|
+
|
|
70
|
+
export function asKyberDecapsulationKey(data: Uint8Array): KyberDecapsulationKey {
|
|
71
|
+
return data as KyberDecapsulationKey
|
|
72
|
+
}
|
|
73
|
+
|
|
74
|
+
export function asX25519PublicKey(data: Uint8Array): X25519PublicKey {
|
|
75
|
+
return data as X25519PublicKey
|
|
76
|
+
}
|
|
77
|
+
|
|
78
|
+
export function asX25519SecretKey(data: Uint8Array): X25519SecretKey {
|
|
79
|
+
return data as X25519SecretKey
|
|
80
|
+
}
|
|
81
|
+
|
|
82
|
+
export function asSymmetricKey(data: Uint8Array): SymmetricKey {
|
|
83
|
+
return data as SymmetricKey
|
|
84
|
+
}
|
|
85
|
+
|
|
86
|
+
export function asNonce(data: Uint8Array): Nonce {
|
|
87
|
+
return data as Nonce
|
|
88
|
+
}
|
|
@@ -0,0 +1,31 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Safe X25519 adapter.
|
|
3
|
+
*
|
|
4
|
+
* Object parameters + branded types.
|
|
5
|
+
*/
|
|
6
|
+
|
|
7
|
+
import {
|
|
8
|
+
generateX25519Keypair as rawKeygen,
|
|
9
|
+
x25519SharedSecret as rawEcdh,
|
|
10
|
+
} from '../x25519'
|
|
11
|
+
import type {
|
|
12
|
+
X25519KeyPair,
|
|
13
|
+
X25519PublicKey,
|
|
14
|
+
X25519SecretKey,
|
|
15
|
+
SharedSecret,
|
|
16
|
+
} from './types'
|
|
17
|
+
|
|
18
|
+
export function keygen(): X25519KeyPair {
|
|
19
|
+
const kp = rawKeygen()
|
|
20
|
+
return {
|
|
21
|
+
publicKey: kp.publicBytes as X25519PublicKey,
|
|
22
|
+
secretKey: kp.secretBytes as X25519SecretKey,
|
|
23
|
+
}
|
|
24
|
+
}
|
|
25
|
+
|
|
26
|
+
export function sharedSecret(params: {
|
|
27
|
+
ourSecretKey: X25519SecretKey
|
|
28
|
+
theirPublicKey: X25519PublicKey
|
|
29
|
+
}): SharedSecret {
|
|
30
|
+
return rawEcdh(params.ourSecretKey, params.theirPublicKey) as SharedSecret
|
|
31
|
+
}
|
package/src/index.ts
CHANGED
|
@@ -5,7 +5,7 @@ import './runtime/crypto';
|
|
|
5
5
|
* Omnituum PQC Shared
|
|
6
6
|
*
|
|
7
7
|
* Unified cryptographic and vault utilities for PQC applications.
|
|
8
|
-
* Combines X25519 (classical) + Kyber ML-KEM-
|
|
8
|
+
* Combines X25519 (classical) + Kyber ML-KEM-1024 (FIPS 203, post-quantum) encryption.
|
|
9
9
|
*
|
|
10
10
|
* FROZEN CONTRACTS - see pqc-docs/specs/ for format specifications.
|
|
11
11
|
*
|
|
@@ -34,7 +34,7 @@ import './runtime/crypto';
|
|
|
34
34
|
// ═══════════════════════════════════════════════════════════════════════════
|
|
35
35
|
|
|
36
36
|
/**
|
|
37
|
-
* @stable Hybrid X25519 + Kyber-
|
|
37
|
+
* @stable Hybrid X25519 + Kyber ML-KEM-1024 (FIPS 203) encryption primitives.
|
|
38
38
|
* The core post-quantum encryption interface.
|
|
39
39
|
*/
|
|
40
40
|
export {
|
|
@@ -54,25 +54,33 @@ export type {
|
|
|
54
54
|
} from './crypto/hybrid';
|
|
55
55
|
|
|
56
56
|
// ═══════════════════════════════════════════════════════════════════════════
|
|
57
|
-
// KYBER (ML-KEM-
|
|
57
|
+
// KYBER (ML-KEM-1024, FIPS 203) (@stable)
|
|
58
58
|
// ═══════════════════════════════════════════════════════════════════════════
|
|
59
59
|
|
|
60
60
|
/**
|
|
61
|
-
* @stable Kyber ML-KEM-
|
|
61
|
+
* @stable Kyber ML-KEM-1024 (FIPS 203) post-quantum KEM primitives.
|
|
62
62
|
*/
|
|
63
63
|
export {
|
|
64
64
|
isKyberAvailable,
|
|
65
65
|
generateKyberKeypair,
|
|
66
|
+
generateKyberKeypairFromSeed,
|
|
66
67
|
kyberEncapsulate,
|
|
67
68
|
kyberDecapsulate,
|
|
68
69
|
kyberWrapKey,
|
|
69
70
|
kyberUnwrapKey,
|
|
71
|
+
KYBER_SUITE,
|
|
72
|
+
KYBER_PUBLIC_KEY_SIZE,
|
|
73
|
+
KYBER_SECRET_KEY_SIZE,
|
|
74
|
+
KYBER_CIPHERTEXT_SIZE,
|
|
75
|
+
KYBER_SHARED_SECRET_SIZE,
|
|
76
|
+
KYBER_SEED_SIZE,
|
|
70
77
|
} from './crypto/kyber';
|
|
71
78
|
|
|
72
79
|
export type {
|
|
73
80
|
KyberKeypair,
|
|
74
81
|
KyberKeypairB64,
|
|
75
82
|
KyberEncapsulation,
|
|
83
|
+
KyberSuite,
|
|
76
84
|
} from './crypto/kyber';
|
|
77
85
|
|
|
78
86
|
// ═══════════════════════════════════════════════════════════════════════════
|
package/src/version.ts
CHANGED
|
@@ -9,15 +9,20 @@
|
|
|
9
9
|
* @see pqc-docs/specs/identity.v1.md
|
|
10
10
|
*/
|
|
11
11
|
|
|
12
|
+
import {
|
|
13
|
+
OMNI_VERSIONS,
|
|
14
|
+
DEPRECATED_VERSIONS,
|
|
15
|
+
} from '@omnituum/envelope-registry';
|
|
16
|
+
|
|
12
17
|
// ═══════════════════════════════════════════════════════════════════════════
|
|
13
18
|
// VERSION CONSTANTS (FROZEN)
|
|
14
19
|
// ═══════════════════════════════════════════════════════════════════════════
|
|
15
20
|
|
|
16
|
-
/** HybridEnvelope version - hybrid encryption format */
|
|
17
|
-
export const ENVELOPE_VERSION =
|
|
21
|
+
/** HybridEnvelope version - hybrid encryption format (from registry) */
|
|
22
|
+
export const ENVELOPE_VERSION = OMNI_VERSIONS.HYBRID_V1;
|
|
18
23
|
|
|
19
|
-
/** Legacy envelope version for backwards compatibility */
|
|
20
|
-
export const ENVELOPE_VERSION_LEGACY =
|
|
24
|
+
/** Legacy envelope version for backwards compatibility (from registry) */
|
|
25
|
+
export const ENVELOPE_VERSION_LEGACY = DEPRECATED_VERSIONS.PQC_DEMO_HYBRID_V1;
|
|
21
26
|
|
|
22
27
|
/** OmnituumVault version - decrypted vault format */
|
|
23
28
|
export const VAULT_VERSION = 'omnituum.vault.v1' as const;
|
|
@@ -1,55 +0,0 @@
|
|
|
1
|
-
/**
|
|
2
|
-
* Omnituum PQC Shared - Version Constants & Guards
|
|
3
|
-
*
|
|
4
|
-
* FROZEN CONTRACTS: These version strings define the wire format.
|
|
5
|
-
* Breaking changes require a version bump.
|
|
6
|
-
*
|
|
7
|
-
* @see pqc-docs/specs/envelope.v1.md
|
|
8
|
-
* @see pqc-docs/specs/vault.v1.md
|
|
9
|
-
* @see pqc-docs/specs/identity.v1.md
|
|
10
|
-
*/
|
|
11
|
-
/** HybridEnvelope version - hybrid encryption format */
|
|
12
|
-
declare const ENVELOPE_VERSION: "omnituum.hybrid.v1";
|
|
13
|
-
/** OmnituumVault version - decrypted vault format */
|
|
14
|
-
declare const VAULT_VERSION: "omnituum.vault.v1";
|
|
15
|
-
/** EncryptedVaultFile version - encrypted vault format (PBKDF2) */
|
|
16
|
-
declare const VAULT_ENCRYPTED_VERSION: "omnituum.vault.enc.v1";
|
|
17
|
-
/** EncryptedVaultFile v2 - encrypted vault format (Argon2id) */
|
|
18
|
-
declare const VAULT_ENCRYPTED_VERSION_V2: "omnituum.vault.enc.v2";
|
|
19
|
-
/** Algorithm suite for hybrid encryption */
|
|
20
|
-
declare const ENVELOPE_SUITE: "x25519+kyber768";
|
|
21
|
-
/** AEAD algorithm for envelope content */
|
|
22
|
-
declare const ENVELOPE_AEAD: "xsalsa20poly1305";
|
|
23
|
-
/** KDF for vault encryption (v1) */
|
|
24
|
-
declare const VAULT_KDF: "PBKDF2-SHA256";
|
|
25
|
-
/** KDF for vault encryption (v2) */
|
|
26
|
-
declare const VAULT_KDF_V2: "Argon2id";
|
|
27
|
-
/** Encryption algorithm for vault */
|
|
28
|
-
declare const VAULT_ALGORITHM: "AES-256-GCM";
|
|
29
|
-
/**
|
|
30
|
-
* Validate envelope structure and version.
|
|
31
|
-
* Returns detailed validation result.
|
|
32
|
-
*/
|
|
33
|
-
declare function validateEnvelope(envelope: unknown): {
|
|
34
|
-
valid: boolean;
|
|
35
|
-
version?: string;
|
|
36
|
-
errors: string[];
|
|
37
|
-
};
|
|
38
|
-
/**
|
|
39
|
-
* Validate vault structure and version.
|
|
40
|
-
*/
|
|
41
|
-
declare function validateVault(vault: unknown): {
|
|
42
|
-
valid: boolean;
|
|
43
|
-
version?: string;
|
|
44
|
-
errors: string[];
|
|
45
|
-
};
|
|
46
|
-
/**
|
|
47
|
-
* Validate encrypted vault structure and version.
|
|
48
|
-
*/
|
|
49
|
-
declare function validateEncryptedVault(encVault: unknown): {
|
|
50
|
-
valid: boolean;
|
|
51
|
-
version?: string;
|
|
52
|
-
errors: string[];
|
|
53
|
-
};
|
|
54
|
-
|
|
55
|
-
export { ENVELOPE_VERSION as E, VAULT_VERSION as V, VAULT_ENCRYPTED_VERSION as a, VAULT_KDF as b, VAULT_ALGORITHM as c, VAULT_ENCRYPTED_VERSION_V2 as d, VAULT_KDF_V2 as e, ENVELOPE_SUITE as f, ENVELOPE_AEAD as g, validateEnvelope as h, validateEncryptedVault as i, validateVault as v };
|
|
@@ -1,55 +0,0 @@
|
|
|
1
|
-
/**
|
|
2
|
-
* Omnituum PQC Shared - Version Constants & Guards
|
|
3
|
-
*
|
|
4
|
-
* FROZEN CONTRACTS: These version strings define the wire format.
|
|
5
|
-
* Breaking changes require a version bump.
|
|
6
|
-
*
|
|
7
|
-
* @see pqc-docs/specs/envelope.v1.md
|
|
8
|
-
* @see pqc-docs/specs/vault.v1.md
|
|
9
|
-
* @see pqc-docs/specs/identity.v1.md
|
|
10
|
-
*/
|
|
11
|
-
/** HybridEnvelope version - hybrid encryption format */
|
|
12
|
-
declare const ENVELOPE_VERSION: "omnituum.hybrid.v1";
|
|
13
|
-
/** OmnituumVault version - decrypted vault format */
|
|
14
|
-
declare const VAULT_VERSION: "omnituum.vault.v1";
|
|
15
|
-
/** EncryptedVaultFile version - encrypted vault format (PBKDF2) */
|
|
16
|
-
declare const VAULT_ENCRYPTED_VERSION: "omnituum.vault.enc.v1";
|
|
17
|
-
/** EncryptedVaultFile v2 - encrypted vault format (Argon2id) */
|
|
18
|
-
declare const VAULT_ENCRYPTED_VERSION_V2: "omnituum.vault.enc.v2";
|
|
19
|
-
/** Algorithm suite for hybrid encryption */
|
|
20
|
-
declare const ENVELOPE_SUITE: "x25519+kyber768";
|
|
21
|
-
/** AEAD algorithm for envelope content */
|
|
22
|
-
declare const ENVELOPE_AEAD: "xsalsa20poly1305";
|
|
23
|
-
/** KDF for vault encryption (v1) */
|
|
24
|
-
declare const VAULT_KDF: "PBKDF2-SHA256";
|
|
25
|
-
/** KDF for vault encryption (v2) */
|
|
26
|
-
declare const VAULT_KDF_V2: "Argon2id";
|
|
27
|
-
/** Encryption algorithm for vault */
|
|
28
|
-
declare const VAULT_ALGORITHM: "AES-256-GCM";
|
|
29
|
-
/**
|
|
30
|
-
* Validate envelope structure and version.
|
|
31
|
-
* Returns detailed validation result.
|
|
32
|
-
*/
|
|
33
|
-
declare function validateEnvelope(envelope: unknown): {
|
|
34
|
-
valid: boolean;
|
|
35
|
-
version?: string;
|
|
36
|
-
errors: string[];
|
|
37
|
-
};
|
|
38
|
-
/**
|
|
39
|
-
* Validate vault structure and version.
|
|
40
|
-
*/
|
|
41
|
-
declare function validateVault(vault: unknown): {
|
|
42
|
-
valid: boolean;
|
|
43
|
-
version?: string;
|
|
44
|
-
errors: string[];
|
|
45
|
-
};
|
|
46
|
-
/**
|
|
47
|
-
* Validate encrypted vault structure and version.
|
|
48
|
-
*/
|
|
49
|
-
declare function validateEncryptedVault(encVault: unknown): {
|
|
50
|
-
valid: boolean;
|
|
51
|
-
version?: string;
|
|
52
|
-
errors: string[];
|
|
53
|
-
};
|
|
54
|
-
|
|
55
|
-
export { ENVELOPE_VERSION as E, VAULT_VERSION as V, VAULT_ENCRYPTED_VERSION as a, VAULT_KDF as b, VAULT_ALGORITHM as c, VAULT_ENCRYPTED_VERSION_V2 as d, VAULT_KDF_V2 as e, ENVELOPE_SUITE as f, ENVELOPE_AEAD as g, validateEnvelope as h, validateEncryptedVault as i, validateVault as v };
|